Looking for hard numbers to back up your sense of what's happening in the cybersecurity world? We dug into studies and surveys of the industry's landscape to get a sense of the lay of the land—both in terms of what's happening and how your fellow IT pros are reacting to it.

11 top cybersecurity statistics at-a-glance

90% of remote code execution attacks are associated with cryptomining.

92% of malware is delivered by email.

56% of IT decision makers say targeted phishing attacks are their top security threat.

77% of compromised attacks in 2017 were fileless.

The average ransomware attack costs a company $5 million.

It takes organizations an average of 191 days to identify data breaches.

69% of companies see compliance mandates driving spending.

88% companies spent more than $1 million on preparing for the GDPR.

25% of organizations have a standalone security department.

54% of companies experienced an industrial control system security incident

61% of organizations have experienced an IoT security incident

Ransomware is down, cryptomining is up

With last year's outbreak of NotPetya, ransomware—malicious programs that encrypt your files and demand a ransom payment in bitcoin to restore them—became one of the most talked about forms of malware of 2017. Yet at the same time, the actual rates of malware infection began to plummet around the middle of the year, until by December 2017 it represented only about 10 percent of infections.

What happened? Well, it seems attackers have figured out that you catch more flies with honey than with vinegar, and rather than demanding your victims send you bitcoins, you can just infect their computers with bitcoin-mining software without their noticing instead. By early 2018, 90 percent of all remote code execution attackswere associated with cryptomining.

Email is still the problem

Are you tired of sending out nagging notes to company staffers insisting that they not just click on any old email attachments? Well, we're afraid you're going to have to keep at it, because according to Verizon's 2018 Breach Investigations report, 92 percent of malware is still delivered by email.

Fileless attacks are on the rise

But the days when malware threats arrived in the form of .exe files attached to those emails— files that antivirus programs could easily assess and block—are falling behind us. Instead, so-called fileless malware is becoming more and more common. Fileless attacks exploit software already installed on the victim's computer rather than attempting to download large executables; for instance, they might execute in a browser plug-in, as Microsoft Office macros, or exploit vulnerabilities in server programs to inject malicious executable code, as was the case with the Equifax breach. All told, 77 percent of compromised attacks in 2017 were fileless, according to the Ponemon Institute's "The State of Endpoint Security Risk Report."

Idle hands are extremely expensive

Sometimes it can be difficult to explain to company management exactly what the bottom line is when it comes to cyberattacks. After all, barring an actual theft (or a ransom payment), money isn't flowing out of the breached company's bank account, so what's the big deal, really? Ponemon offers one way to think about it in its report on the true cost of ransomware: the biggest hit to the company's balance sheet will come in the form of enforced employee idleness as wrecked networks and dysfunctional computers provide no means to actually do work. Ponemon pegs the average cost of a single attack at $5 million, with $1.25 million—a quarter of the total—attributable to system downtime, and another $1.5 million (30 percent) to IT and end user productivity loss.

Breaches that linger

You probably aren't going to stop all the attacks on your infrastructure; that's why it's necessary to identify breaches that have already occurred and repair the damage ASAP. On that score, things seem to be improving ... barely. Ponemon's 2017 Cost of Data Breach study found that organizations were able to identify data breaches on average within 191 days. That might sound like a shockingly high number—it's more than six months!—but it's marginally better than 2016's figure, which was 201 days.

The friendly hand of government

It's often hard to find people in business having anything nice to say about government regulations. But according to Thales' 2018 Data Threat Report, when it comes to securing sensitive data, companies are willing to give credit to regulators when credit is due. According to Thales' survey, 64 percent of respondents around the world—and 74 percent of those in the U.S.— feel that adhering to compliance requirements is a 'very' or 'extremely' effective way to keep data secure. Perhaps that explains why, according to the 2018 IDG Security Priorities Study, 69 percent of companies see compliance mandates driving spending.

GDPR isn't cheap

That said, that compliance can be pricey, especially when it comes to the granddaddy of all data regulations, the European Union's GDPR. In a 2017 PwC survey of 300 tech execs at US, UK, and Japanese companies doing business in the EU, nearly everyone—88 percent—said their company was spending more than $1 million on preparing for the GDPR in the run-up to its full May 2018 implementation. 40 percent say they spent a whopping $10 million or more. All that spending is good business for somebody: the same survey revealed that 69 percent of execs planned to hire an outside technology firm to help them with compliance.

Does security stand alone?

Does your company have a security executive in the c-suite, and if so, who do they report to? The question goes beyond upper-echelon office politics and gets to the heart of who does what in a company, and how they collaborate. For instance, in 75 percent of organizations surveyed in the 2018 IDG Security Priorities study, security and IT teams are part of the same department, with 25 percent having a standalone security department. But if a company has a dedicated CSO or CISO, they're more likely to have security siloed into a separate department—in such organizations, that happens 40 percent of the time.

Industrial control systems are vulnerable

Industrial control systems—specialized computer hardware and software that provide the smarts for everything from manufacturing plants to nuclear power stations—are tempting targets for hackers. According to the Business Advantage State of Industrial Cybersecurity 2017 report, 54 percent of companies sampled experienced an industrial control system security incident within the past twelve months—and 16 percent had experienced three or more.

One possible explanation? Not enough care spent controlling who exactly can access these crucial systems. The report found that 55 percent of sampled companies allowed external parties, such as partners or service providers, to access their industrial control network.

And so are IoT systems

Internet-connected industrial control systems represented the first wave of the internet of things; today, there are millions of IoT devices out there, representing a tempting attack surface that you need to protect. A 2018 report from Trustwave produced some dispiriting numbers when it comes to IoT security:

64 percent of surveyed organizations have deployed IoT devices, and another 20 percent plan to do so within the next year

But only 28 percent of those organizations consider their IoT security strategy to be "very important," and more than a third think it's only somewhat important, or not important at all

Take those two facts into consideration, and is it any surprise that 61 percent of those surveyed have already experienced an IoT security incident?

We're more proactive than reactive

To end on a hopeful note, let's take a look at the factors that drive security spending, according to the 2018 IDG Security Priorities Study. (Respondents could choose more than one factor, which is why these add up to more than 100 percent.)

74%: Best practices

69%: Compliance mandates

36%: Responding to a security incident that happened in own organization

33%: Mandates from board of directors

29%: Responding to a security incident that happened in another organization

Why do we say that's hopeful? Well, it looks like organizations are approaching their security spending proactively, based on plans for the future and guidelines laid down by regulations, rather than playing catch-up and responding to attacks. What more can a CSO ask for?